Wednesday, 13 April 2016

Z-wave protocol analysis using Ez-Wave

Background: Recently I was able to get my hands on a couple of IoT devices talking the proprietary Z-Wave protocol. Specifically, I had 2 devices:

i) Z-Wave 3-in-1 PIR motion sensor, which can detect movement, temperature and luminance.
ii) Z-Wave smart energy plug, which reports the energy consumption of the device connected to it. It can also switch that device ON/OFF depending on the requests sent to it by a Z-Wave controller.

These devices are already deployed in many smart homes, so it is important to analyze their security properties. This got me rolling, and here is a post about how to sniff Z-Wave packets using an SDR. It seems that the state of the art in pentesting any wireless communication protocol is to use these SDRs.

A detailed security assessment of the Z-Wave protocol and Z-Wave enabled devices was presented at ShmooCon 2016 in "Breaking Bulbs Briskly by Bogus Broadcasts" (https://www.youtube.com/watch?v=IgquSEhAGvA) by Joseph Hall and Ben Ramsey. It details how many Z-Wave device manufacturers disregard security and don't even encrypt the data exchanged between the Z-Wave device and the Z-Wave controller, which opens up a range of attacks against Z-Wave devices. They also released an open source tool for sniffing and playing with these packets called EZ-Wave. In this post I shall try to sniff some of the traffic generated by my Z-Wave devices.

EZ-wave Installation:

Install EZ-wave dependencies:

The installation instructions are detailed on the GitHub site at https://github.com/AFITWiSec/EZ-Wave. However, there are a number of software bundles that need to be installed, especially GNU Radio, which has a lot of dependencies. Hence, instead of installing all these packages myself, I used the Pentoo Linux distribution (http://www.pentoo.ch/about). The advantage of using Pentoo Linux is that all the software required for the EZ-Wave installation, such as GNU Radio, OsmocomSDR, the HackRF host software, Wireshark etc., comes pre-installed in the distro, saving the time to install it manually.

The simplest way is to download the Pentoo Linux image from the downloads section of the site and then write the image to a live USB stick. One important thing to note here is that Michael Ossmann (maker of the HackRF) highly recommends in his "Introduction to SDR" tutorial (https://greatscottgadgets.com/sdr/) not to connect the HackRF to a virtual machine, for performance reasons, but to use it directly on the base OS. Also, on a side note, if you are a newbie it's highly recommended to go through at least his first tutorial, where he introduces the SDR concepts (https://greatscottgadgets.com/sdr/1/), and also the tutorial on HackRF usage (https://greatscottgadgets.com/sdr/5/).

We now boot from the live USB. (In case you get an error like "boot device not found", press "Tab" on the keyboard and select the pentoo5 OS, or type it and press Enter.) Pentoo Linux should boot correctly. Launch a GUI using the "startx" command. In case there is no IP address allocated to the box, just run "dhcpcd eth0" to request one.

Now, to test that the HackRF software is working correctly, plug the HackRF devices into the USB ports and run the command "hackrf_info". I use 2 HackRFs since they are half-duplex and I wish to receive and transmit at the same time.


Install Scapy-Radio 

We can see that both our devices are correctly detected. Next we install the EZ-Wave tool itself. We run the setup.sh script, which clones the Scapy framework, and then we install it.



I noticed that if you use Pentoo Linux then you don't need to worry about making changes to the GNU Radio config file.

Install Wireshark

We downloaded the source package for Wireshark version 1.12.10 from https://www.wireshark.org/download/src/. Copy the EZ-Wave Wireshark dissector files to wireshark-1.12.10/epan/dissectors. Wireshark by default tries to use Qt version 5 for building the Wireshark UI. This gave me errors, so I chose to build my Wireshark UI with GTK3. Hence it's important to tell Wireshark to use the GTK3 library instead of the Qt5 libraries at the configure stage. Our steps to build Wireshark were:



EZ-Wave Usage:

In order to sniff packets, we start GNU Radio Companion and give it the Z-Wave radio configuration file as input.

Select the Zwave.grc file to open it in gnuradio-companion.

One important thing to take note of in the .grc file is the centre frequency variable, i.e. center_freq. The European standard Z-Wave devices (which I have) talk on 868.42 MHz (instead of the default centre frequency hardcoded in the .grc file, which is for US Z-Wave devices), and hence this variable needs to be changed to reflect the frequency of your device. To change the variable, double-click it and then key in the new value.

gnuradio-companion main window
After changing the .grc file we need to regenerate (recompile) the flow graph. Finally, we can run it by pressing the play button in the top menu. (Also make sure that the Python modules are on the PYTHONPATH environment variable, else there may be some errors.)

The HackRFs should now be able to pick up Z-Wave packets in the vicinity. I forced the Z-Wave device to send some packets by pressing the button on the device body. All the captured Z-Wave packets are sent to localhost:52002 and can be seen using Wireshark and the new dissector. You can apply a filter like !icmp to hide the interrogation commands sent to the Z-Wave devices.

Wireshark Z-wave packet capture

We can see the Home ID and Node ID of the captured Z-Wave packet. The data exchanged between the Z-Wave controller and the Z-Wave device is also not encrypted.
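As an added example (not code from the post or from the EZ-Wave project), here is a small Python parser for the single-cast Z-Wave MAC frame at the 9.6/40 kbps rates: it pulls out the Home ID and node IDs shown in the Wireshark capture, verifies the frame checksum, and flags whether the command is wrapped in the Security command class (0x98) or sent in the clear, which is exactly the check behind the "not encrypted" observation above. It assumes the raw over-the-air frame with no scapy-radio header in front; the sample frame, Home ID and node numbers are constructed.

```python
from dataclasses import dataclass

COMMAND_CLASS_SECURITY = 0x98   # payload is an encrypted Security encapsulation
CLASS_NAMES = {0x20: "BASIC", 0x25: "SWITCH_BINARY", 0x30: "SENSOR_BINARY",
               0x31: "SENSOR_MULTILEVEL", 0x32: "METER", 0x98: "SECURITY"}
@dataclass
class ZWaveFrame:
    home_id: int
    src_node: int
    dst_node: int
    seq: int
    ack_req: bool
    command_class: int
    payload: bytes
    checksum_ok: bool
    @property
    def encrypted(self) -> bool:
        # A node using Security wraps every command in class 0x98; anything else is plaintext
        return self.command_class == COMMAND_CLASS_SECURITY

    def describe(self) -> str:
        name = CLASS_NAMES.get(self.command_class, f"0x{self.command_class:02X}")
        return (f"home=0x{self.home_id:08X} src={self.src_node} dst={self.dst_node} seq={self.seq} "
                f"class={name} {'ENCRYPTED' if self.encrypted else 'CLEARTEXT'} csum_ok={self.checksum_ok}")

def xor_checksum(data: bytes) -> int:
    # R1/R2 (9.6/40 kbps) frame checksum: XOR of all preceding bytes, seeded with 0xFF
    c = 0xFF
    for b in data:
        c ^= b
    return c

def parse_frame(frame: bytes) -> ZWaveFrame:
    # Layout: HomeID(4) SrcNode(1) FrameCtrl(2) Length(1) DstNode(1) Payload... Checksum(1)
    if len(frame) < 10 or frame[7] != len(frame):
        raise ValueError("not a complete Z-Wave frame (length field must equal frame size)")
    fc0, fc1 = frame[5], frame[6]   # bit 6 of fc0 = ack request, low nibble of fc1 = sequence number
    payload = frame[9:-1]
    return ZWaveFrame(home_id=int.from_bytes(frame[:4], "big"), src_node=frame[4],
                      dst_node=frame[8], seq=fc1 & 0x0F, ack_req=bool(fc0 & 0x40),
                      command_class=payload[0] if payload else 0, payload=payload,
                      checksum_ok=xor_checksum(frame[:-1]) == frame[-1])

def build_frame(home_id: int, src: int, dst: int, seq: int, payload: bytes) -> bytes:
    # Builds a single-cast frame (header type 1, ack requested) with a valid checksum
    hdr = home_id.to_bytes(4, "big") + bytes([src, 0x41, seq & 0x0F, 10 + len(payload), dst])
    return hdr + payload + bytes([xor_checksum(hdr + payload)])

# Constructed sample: node 2 reports SWITCH_BINARY value 0xFF (on) to controller node 1
SAMPLE = build_frame(0xC0FFEE01, 2, 1, 3, bytes([0x25, 0x03, 0xFF]))
```

Running `parse_frame(SAMPLE).describe()` over each frame taken off the localhost:52002 stream gives a one-line audit of which nodes talk in the clear.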


1 comment:

  1. Hi, I have a question. Should I enable the Z-Wave protocol in Wireshark? I can't receive any Z-Wave packets and I can't find the Z-Wave protocol in Wireshark.
